AMD says its Secure Processor is impenetrable. Instead, it can harbor malware.

Secure enclaves like the one found in iPhones are intended to be impenetrable fortresses that handle tasks too sensitive for the main CPUs they work with. AMD's version of that co-processor contains a raft of critical flaws that attackers could exploit to run malware that's nearly impossible to detect and has direct access to a vulnerable computer's most sensitive secrets, a report published Tuesday warned. The chips also contain what the report called "backdoors" that hackers can exploit to gain administrative access.

The flaws—in AMD's EPYC, Ryzen, Ryzen Pro, and Ryzen Mobile lines of processors—require attackers to first gain administrative rights on a targeted network or computer, which is a hurdle that's difficult but by no means impossible to clear. From there, attackers can exploit the vulnerabilities to achieve a variety of extraordinary feats that would be catastrophic for the owners' long-term security. Among other things, the feats include:

“All these things are real”

The four classes of vulnerabilities—dubbed Masterkey, Ryzenfall, Fallout, and Chimera—were described in a 20-page report headlined "Severe Security Advisory on AMD Processors." The advisory came with its own disclaimer that CTS—the Israeli research organization that published the report—"may have, either directly or indirectly, an economic interest in the performance" of the stock of AMD or other companies. It also discloses that its contents were all statements of opinion and "not statements of fact." Critics have said the disclaimers, which are highly unusual in security reports, are signs that the report is exaggerating the severity of the vulnerabilities in a blatant attempt to influence the stock price of AMD and possibly other companies. Critics also faulted the researchers for giving AMD just 24 hours to review the report before it went public and for using a dedicated website to bring attention to the flaws.

AMD officials released a statement that read: "At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings."

Still, Dan Guido, a chip security expert and the CEO of security firm Trail of Bits, told Ars that whatever ulterior motives it may have, the paper accurately describes a real threat. After spending much of last week testing the proof-of-concept exploits discussed in the paper, he said, he has determined that the vulnerabilities they exploit are real.

"All the exploits work as described," he said. "The package that was shared with me had well-documented, well-described write-ups for each individual bug. They're not fake. All these things are real. I'm trying to be a measured voice. I'm not hyping them. I'm not dismissing them."

Once hackers gain low-level access to a targeted network, they typically collect as much data as they can as quickly as they can in hopes of elevating their privileges. All that's required to exploit the AMD chip vulnerabilities, Guido said, is a single administrator credential inside the network.

"Once you have administrative rights, exploiting the bugs is unfortunately not that complicated," he said.

Bypassing signature checks

While AMD chips are supposed to require the firmware that runs on them to be digitally signed, Guido said the exploits massage the code in a way that allows uploaded firmware to pass validation checks without a valid signature. Once the attacker's malicious firmware is running on the processor, it's nearly impossible to detect using today's tools. What's more, the firmware has direct access to protected memory, hard drives, input/output devices and other computer components that might be out of bounds to more traditional malware.

"I ran the exploit code that let me get shells," Guido said. "They do make a bad compromise significantly worse. There are no tools to help you find if these issues have been exploited." The vulnerabilities, he said, are unrelated to a code-execution flaw disclosed in January in AMD's trusted platform module.

Not so fast

Other researchers played down the severity of the flaws and questioned the veracity of the report, which was published the same day that short seller Viceroy Research issued a report saying AMD shares might lose all their value. AMD shares initially fell following publication of the reports, but they eventually closed higher. The report's critics, meanwhile, said the requirement that an attacker already have administrative rights meant the vulnerabilities weren't as severe as portrayed.

"All the exploits require root access," said David Kanter, a chip expert who is founder of Real World Technologies. "If someone already has root access to your system, you're already compromised. This is like if someone broke into your home and they got to install video cameras to spy on you."

Still, Kanter agreed with Guido that the vulnerabilities were a major embarrassment for AMD, particularly because most of them reside in the Platform Secure Processor, which is AMD's version of the secure enclave in the iPhone. Unlike Apple, which custom-designed its secure enclave, AMD relies on a 32-bit Cortex A5 processor designed by ARM.

AMD's Secure Processor, Guido said, "is intended to be the one defensible part of the processor. The fact that you can upload unsigned code and get it to pass validation and the fact that you can manipulate all the mail slot handlers is not what I would expect as someone who needs to trust this component."

In a series of tweets, Gadi Evron, a veteran security researcher and the CEO and founder of security firm Cymmetria, also confirmed the accuracy of the findings even as he declined to defend the way they were disclosed.

First, https://t.co/YHJ4rWFLvN's findings are real. I can confirm they have a PoC on everything. More specifically:
1. All vulnerabilities do not require physical access (need ability to run exe as admin)
2. Fallout does not require reflash of the BIOS, you can just run it
[2/3]

Other vulnerabilities were the result of what Tuesday's advisory said were manufacturer "backdoors" that were built into a chipset that connects Ryzen and Ryzen Pro processors to hardware devices such as Wi-Fi chips and network cards. One of the backdoors is built into the firmware, the report contended, while the other resides in the hardware. AMD's partner for the chips, the report said, is ASMedia. In 2016, ASMedia parent company ASUSTeK Computer settled charges brought by the Federal Trade Commission that alleged it neglected security vulnerabilities. The settlement requires ASUSTek to undergo external security audits for 20 years.

Tuesday's report went on to warn that the Chimera vulnerabilities resulting from the purported backdoors may be impossible to fix.

As explained earlier, the report's findings are highly nuanced because they're premised on an already serious compromise that allows attackers to gain administrative control of a computer running one of the vulnerable AMD processors. That steep bar is countered by an achievement that's not possible with most exploits. Specifically:

The ability to take complete control over the affected machine, including parts that are normally isolated from malware

The ability to run malicious code before the operating system boots and for infections to persist even after the operating system is reinstalled

The ability to bypass advanced protections such as Windows 10 Credential Guard

People who rely on AMD chips shouldn't panic, but they also shouldn't discount the warnings contained in the report, despite the questionable motivations for its release.

Promoted Comments

WTF? If someone has root access they can exploit you? This required a front page news story?? The "researchers" got what they wanted.

You call the SEC, I'll hit Costco for popcorn.

I think persistence is the real issue here. Obviously root access means you're already pwned. But with this exploit you can't roll back to yesterday's full disaster recovery image and move on. Hell, even formatting the drives and reusing the hardware after a breach is impossible. Nothing can be trusted if a trusted compute processor can run a malicious firmware.

The persistence is a bit of a downer: It's not just "someone who has root access" but "someone who ever had root access at some point in the history of that computer unless you replace the CPU and/or motherboard".

That's the big downside of doing the "ooh, OS is too insecure so we'll just move some things into Safe Trusted Firmware" school of design. Unless that is ironclad you now have something that will survive anything short of a trip to the shredder.

I do not know what is more disheartening. The flaws themselves, or the fact that someone weaponised them in an attempt to manipulate the stock price, and that it doesn't even seem shocking anymore.

Of course they did, and of course they will profit from it, and the people responsible will not even be condemned by everyone: some will defend their lack of morals by saying that the fact they made money out of it is the proof they had to do it, and kudos to them.

Meanwhile, stealing money is still wrong, profiting out of someone else's misery is still a sign that you are watching a morally bankrupt person, and those people are complete scum and not "savvy entrepreneurs".

Wow. Full on clickbait headline, and the article isn't much better. This article needs to be pulled, and honestly Dan Goodwin needs to have a serious talk with the senior editors. How in the Hell did this crap get posted?

Actually, this is interesting in 2 ways:
1) it highlights the level of effort and sophistication that some short sellers may be willing to deploy to get what they want (i.e., a drop in the stock)
2) Dan took the time to gather the perspective of different researchers, and it seems there might be some underlying element of truth to the claim, even if how it's presented is grossly exaggerated.

And as a bonus, 3) People have been on AMD's case for a while now about lack of transparency and information about Trust Zone, which sits at the heart of the trust architecture of Zen. Maybe this will help build enough pressure that they are forced to release better documentation and even open-source the associated firmware and other software to regain trust from buyers (and investors). I'm not holding my breath, but one can hope...

As already pointed out by many people and the article, there are many problems with their "disclosure":

And none of those have to do with whether the vulns are real or not. They can be sleazebags and still be correct (it'll be more profitable for them if they are). There's no reason to think AMD's chips aren't as riddled with bugs and insecurities as Intel's are, especially when they're outsourcing critical components to companies like ASUSTek that have a history of ignoring security. So the first time people really look at them they really might find a lot of holes.

I don't mean to call you out specifically on that, because this whole comment section is just festering with it. 'I like AMD. I don't want to hear this. Oh these guys are sleazebags, so I can focus on the source and pretend this doesn't exist. Yay AMD, the giant corporation I have pledged my fealty to!' (Substitute <company> for AMD depending on the article).

On one hand it's disheartening to see people still fanboying for tech companies, on the other hand it's an amusing reversal of the day people thought Spectre and Meltdown were only Intel.

Well, due to the language of the report and due to the fact that they bothered to put up a scareware site (forgot the link, saw it on hacker news), I read this as one of: "AMD refused to hire us", "We're playing with AMD's stock price" or "This report and site sponsored by Intel".

I expect one mitigating circumstance is that the technology is new, which means the scope of the problem is small. That, as opposed to learning that old chips have been compromised for years and years...

Unless Anandtech is fabricating, it seems like this is a smear campaign against AMD. They gave AMD almost no notice, hired a PR firm, registered the website where they dropped the flaws nearly 3 weeks ago...

If they are legitimate flaws, this is definitely poor disclosure practice and seemed calculated to hurt AMD.

Typical notice appears to be 90 days before going public (if not longer).

Hiring a PR firm and setting up a dedicated site for the vulnerabilities is kinda understandable. Irresponsible disclosure for possible financial gain is definitely not.

It's worth noting that the company behind this gave very short notice, and are known for short-selling stock...

That's mentioned in the article.

Regardless of the severity of these vulnerabilities, that combined with the lack of responsible disclosure is kinda sketchy.

Also the name "MasterKey" is clearly something chosen by the PR firm of the short seller not the researchers. Security researchers invariably use something obtuse or punny. This is easy for the average reader to grasp and enormously misleading, since it makes it sound like they can take over your system which isn't the case at all since you HAVE TO LET THE ATTACKER REINSTALL YOUR SYSTEM BIOS.

These vulnerabilities are no worse than run-of-the-mill malware, they all require either physical access or administrator permissions. The reason Meltdown was so problematic was because you could peek into next door processes without needing any of these on virtual server farms.

So no one has admin access to a VM with the ability to run untrusted code? I would assume that could allow the necessary access if the hypervisor doesn't properly shield these components. And malware that is that difficult to detect and compromises the hardware would make all the VMs exploitable.

Also just because it requires admin access doesn't make it useless. If it allows the malware to be persistent or to evade behavior based malware scans. It could still be worth using even if you already have admin access.

Assuming I broke into your house, yeah, I can steal or break your safe, but you'll know that. With this I could get the code to your safe and make sure there is something there worth stealing. And you might never know I was there.

Israeli politics and business in general have been hit by some high end corruption cases lately, including the PM.

While these flaws may exist, the presentation and publication make it appear they are trying to hurt AMD share prices.

Not to mention Intel Israel contains much R&D. They could also be looking to bring SPECTRE/MELTDOWN level of publicity to AMD chips to neutralize the slowing performance of Intel chips patched with the microcode fixes.

They could also be trying to equalize the flaws in Intel's Management Engine, which is very similar to these flaws. Sometimes equalizing the playing field is as good as winning if you are already much larger.

All of these appear to be vulnerabilities in the Secure Processor firmware rather than hardware. Some affect the boot time code, and others are exploits in the "Secure OS." But they could all be properly and permanently fixed with a firmware update.

Since these are all new features, they probably also contain new code. It's disappointing, but not really surprising that it contains vulnerabilities.

EDIT: The ASMedia Promontory flaws are alleged to be partially hardware "Two sets of manufacturer backdoors discovered: One implemented in firmware, the other in hardware (ASIC)." Wonder if it's real, or just JTAG pins...

Right, just read the company disclaimer under the report and think about their motives: "Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports," and "We have no plans to put out the full technical details to the public. We're only sending to companies who are able to produce mitigations." - so no peer review. This all smells fishy.

Large-scale disclaimers about the veracity of the sources in the article, yet you still trumpet the FUD in the headline. It's a blow to my trust in the journalistic integrity of Ars Technica, and I say that as someone who has had this place as my browser home page since 1999. For shame.

One positive outcome of this whole stinky operation may be that AMD finally yields to (long-standing) pressure and opens the black box that is its Trust Zone and associated firmware/software.

But I have to say, if the Trails of Bit guy is right, being able to massage code to allow unsigned firmware flashing is a grave grave security issue.

I skimmed over the 20 pages and they did not once mention if an exploit was possible via VM. In fact they were very light on details and instead had pages of possible scenarios assuming these exploits are living in the secure processor.

I know it's possible to reset the TPM on Intel chips. Is it not possible to do that with the AMD chips?

The flaws—in AMD's EPYC, Ryzen, Ryzen Pro, and Ryzen Mobile lines of processors—require attackers to first gain administrative rights on a targeted network or computer, which is a hurdle that's difficult

Uh, difficult? I think not. Isn't privilege escalation one of the most common results of an exploit?

Privilege escalation is the scariest kind of exploit since it can get you admin access. It's still not easy to get root control of a system with generally good security practices.